Case ID #: 288A-SF-NEW (Pending) 


Title: UNSUB(S), 
AKA MYDOOM VIRUS; 
GOOGLE - VICTIM; 
YAHOO - VICTIM; 
LYCOS - VICTIM; 
COMPUTER INTRUSIONS-CRIMINAL MATTERS 


Synopsis: Request to open a new 288A case at San Francisco 
based on reports that users of popular internet search engines 
were unable to access major search engine websites or 
experienced slowness due to the MyDoom virus, which flooded 
major search engines with automated searches. 


Enclosure(s): CNN.com website article (http://www.cnn.com) on 
the release and impact of the MyDoom virus, dated 07/26/2004. 


Details: On 07/26/2004, CNN.com (http://www.cnn.com) reported 
that internet search engines, such as Google 
(http://www.google.com), Yahoo (http://www.yahoo.com), and 
Lycos (http://www.lycos.com) were unable to provide search 
results to a number of web surfers, probably due to a new 
variant of the MyDoom virus. The problem began at 
approximately 11:30AM Eastern Time. 


The virus uses search engines on infected computers 
to look for more e-mail addresses in order to keep replicating 
itself. 


It is recommended that this matter be opened and 
assigned to SA 


UNCLASSIFIED 


o http://securityresponse.symantec.com/avcenter/venc/data/w32-mydoom.m@mm.html 
o http://www.f-secure.com/v-descs/mydoom_m.shtml 


Attachments: 


None. 
FEDERAL BUREAU OF INVESTIGATION 
Precedence: Routine  Date: 07/29/2004 
To: Director, FBI  Attn: Computer Investigations Unit, Room 11887 
Computer Investigations and Infrastructure Threat Assessment Center (CID/NSD) 
From: SAC, San Francisco 
Case ID #: 288A-SF-136551 




Title: Subject: UNSUB(S), A.K.A. MyDoom Virus 
Victim: Google, Yahoo, Lycos, Altavista 
Type: Computer Intrusion 
Date: 07/26/2004 


SUBMISSION: [ ] Initial  [ ] Supplemental  [ ] Closed 

CASE OPENED: 07/26/2004 

CASE CLOSED: / / 
[ ] No action due to state/local prosecution (Name/Number: ) 
[ ] USA declination 
[ ] Referred to Another Federal Agency (Name/Number: ) 
[ ] Placed in unaddressed work 
[ ] Closed administratively 
[ ] Conviction 


COORDINATION: FBI Field Office San Francisco 
Government Agency 
Private Corporation 

VICTIM 
Company name/Government agency: Google, Mt. View, CA; Yahoo, Santa Clara, CA; 
Address/location: Altavista, Palo Alto, CA; Lycos, Waltham, MA 
Purpose of System: Internet Search Engines 
Highest classification of information stored in system: UNKNOWN 


288A-SF-136551 


To: Director, FBI 


System Data: 
Hardware/configuration (CPU): Unknown 
Operating System: 
Software: 
Security Features: 
Security Software Installed: [ ] yes (identify; list provided)  [X] no 
Logon Warning Banner: [ ] yes  [ ] no 

INTRUSION INFORMATION 
Access for intrusion: [X] Internet connection  [ ] dial-up number  [ ] LAN (insider) 
If Internet: Internet address: Unknown 
Network name: Unknown 
[field label illegible]: DDOS 
Technique(s) used in intrusion: 
Path of intrusion: 
addresses: 1.  2.  3.  4. 
country: 1.  2.  3.  4. 
facility: 1.  2.  3.  4. 
Subject: Unknown 
Age:  Race: 
Sex:  Education: 
Alias(s): 
Group Affiliation: 
Employer: 
Known Accomplices: 
Equipment used: 
Hardware/configuration (CPU): 
Operating System: 
Software: 
Impact: 
Compromise of classified information: [ ] yes  [X] no 
Unknown 
Estimated number of computers affected: 
Estimated dollar loss to date: 
Motive: 
Category of Crime: 
Impairment: 
[ ] Malicious code inserted 
[X] Denial of service 
[ ] Destruction of information/software 
[ ] Modification of information/software 
Theft of Information: 
[ ] Classified information compromised 
[ ] Unclassified information compromised 
[ ] Passwords obtained 
[ ] Computer obtained 
[ ] Telephone services obtained 
[ ] Application software obtained 
[ ] Operating software obtained 
Intrusion: 
[ ] Unauthorized access 
[ ] Exceeding authorized access 


REMARKS 


On 07/26/2004, popular internet search engines were unable to provide 
search results to a number of web surfers due to a new variant of the MyDoom 
virus. 

The virus uses search engines to look for more e-mail addresses in order 
to keep replicating itself. 
Top Screen 
Protocol Attacks: 
[X] TCP 
[ ] UDP 
[ ] FTP 
[ ] Telnet 
[ ] TFTP 
[ ] r commands 
[ ] SMTP 
[ ] HTTP 
[ ] gopher 
[ ] X11 window 
[ ] Menu 
[ ] DNS 
[ ] SNMP 
[ ] FSP 
[ ] NFS 
Other Attacks: 
[X] Worm 
[ ] Social engineering 
[ ] Scavenging and reusing 
[ ] Masquerading 
[ ] Scanning 
[ ] Trojan Horse 
[ ] Other 

Secondary Screen 
Technology(s) Used: 
[ ] spoofing attack 
[ ] source routing 
[ ] sequence number attack 
[ ] spoofing attack 
[ ] flooding 
[ ] vulnerable version 
[ ] SITE EXEC 
[ ] overload FTP buffer 
[ ] anonymous FTP 
[ ] hijacking 
[ ] packet sniffing 
[ ] rsh 
[ ] rlogin 
[ ] vulnerable version 
[ ] spoofing 
[ ] embedded postscript attack 
[ ] trojan horse attack 
[ ] syslog attack 
[ ] flooding 
[ ] MIME 
[ ] flooding 
[ ] Telnet to HTTP port 
[ ] vulnerable version 
U.S. Department of Justice 
Federal Bureau of Investigation 

In Reply, Please Refer to 
File No. 288A-SF-136551 
450 Golden Gate Ave. 
PO Box 36015 
San Francisco, CA 94102 
(415) 553-7400 
July 28, 2004 

[___] 
Lycos Legal Department 


This letter is to document the conversation yesterday, 
07/27/2004, regarding our investigation into the impact of the MYDOOM 
COMPUTER VIRUS on your organization. Parties to the conversation 
included yourself, Special Agents [___] and [___]. 


If you have any further questions, or additional 
information, please contact Special Agent [___]. 

Sincerely, 

Mark J. Mershon 
Special Agent in Charge 

[___] 
Special Agent 
Last Transaction 
Date    Time    Type      Identification  Duration  Pages  Result 
Jul 28  3:42pm  Fax Sent  [___]           0:22      1      OK 
FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 08/16/2004 


On August 11, 2004, [___], Legal Counsel at Google, 
in Mountain View, California, telephone number 650/623-6048, was 
interviewed telephonically and advised of the identity of the 
interviewing agent and the nature of the interview. [___] provided 
the following information: 

GOOGLE is not currently experiencing any effects from the 
MYDOOM virus that initially struck on July 26, 2004. [___] advised 
that representatives from GOOGLE are working on preparing an 
analysis of the financial loss suffered by GOOGLE due to the MYDOOM 
virus. [___] believes it will be approximately $100,000. 


[___] advised that she has the IP addresses of the first 
ten hosts that queried the GOOGLE search engine related to the 
MYDOOM attack and said that she would send the information to me 
via email. The resulting email is attached to and made a part of 
this FD-302. 

Investigation on 08/11/2004 at Quantico, Virginia (telephonically) 
File # 288A-SF-136551  Date dictated 08/16/2004 
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 07/27/2004 


On July 27, 2004, [___], LYCOS, in San Francisco, California, 
telephone number (650) 428-5000, was interviewed telephonically and 
advised of the identity of the interviewing agents and the nature of 
the interview. [___] provided the following information: 


Between 8:30AM and 9:00AM Eastern Daylight Time (EDT) on 
07/26/2004, the servers at Lycos were impacted by the MYDOOM virus. 
Between 9:00AM and 10:00AM eastern, legitimate web users' 
availability to search results conducted by LYCOS was at 37%. By 
11:00AM eastern, availability was less than 4%. 


By 7:30PM eastern, LYCOS had implemented filters on 
searches coming into the servers on certain text strings like 
"mail", "reply", "rept", and "contact" that they noted were being 
queried by the virus. By applying these filters, they were able to 
block the searches committed by the virus and allow regular users 
to access the search functions of LYCOS. LYCOS could not simply 
block an Internet Protocol (IP) address or range of IP addresses 
because of the distributed nature of the virus. 


[___] noted that traffic to the LYCOS website was at 
approximately 50 times normal levels on 07/26/2004 and continues to 
fluctuate between 30 and 50 times normal levels on 07/27/2004, but 
that, due to the filters implemented by LYCOS, their search 
functions are running normally for most users. 


Investigation on 07/27/2004 at San Jose, California (telephonically) 
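The string filter Lycos describes above, as an added example that is not part of the FBI file or Lycos's own code: it flags search queries that combine the worm's signature words with a bare domain name, drops them, and counts the distinct client addresses behind them (the distributed sourcing that made an IP blocklist impractical). The log format, IP addresses and queries are constructed sample data; only the keyword list comes from the interview.

```python
import re
from collections import Counter

# Terms the interview says the worm combined with harvested domains.
WORM_TERMS = ("mail", "reply", "rept", "contact")

# Constructed sample log, one "<client_ip> <query>" record per line.
SAMPLE_LOG = """\
198.51.100.7 mail reply contact example.com
203.0.113.44 reply rept mail example.org
198.51.100.7 contact example.net mail
192.0.2.10 weather boston
192.0.2.11 lycos mail login
203.0.113.91 rept mail example.co.uk contact
192.0.2.12 red sox schedule
198.51.100.200 mail contact reply example-shop.com
"""

DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")

def is_worm_query(query, min_terms=2):
    """True when a query carries at least ``min_terms`` signature words
    plus a bare domain name. Requiring both keeps ordinary searches such
    as "lycos mail login" out of the filter (the false-positive risk of
    a plain keyword block)."""
    words = set(query.lower().split())
    term_hits = sum(1 for t in WORM_TERMS if t in words)
    has_domain = any(DOMAIN_RE.fullmatch(w) for w in words)
    return term_hits >= min_terms and has_domain

def filter_log(log_text):
    """Split records into (blocked, passed) and count the distinct client
    IPs behind the blocked traffic: many sources per few queries is the
    pattern that rules out blocking by address."""
    blocked, passed = [], []
    for line in log_text.splitlines():
        ip, _, query = line.partition(" ")
        (blocked if is_worm_query(query) else passed).append((ip, query))
    distinct_sources = len(Counter(ip for ip, _ in blocked))
    return blocked, passed, distinct_sources

def legitimate_share(blocked, passed):
    """Percentage of requests that still reach the search backend once
    the worm queries are dropped."""
    total = len(blocked) + len(passed)
    return round(100.0 * len(passed) / total, 1) if total else 0.0

if __name__ == "__main__":
    b, p, n = filter_log(SAMPLE_LOG)
    print(f"blocked {len(b)} worm queries from {n} source IPs; "
          f"passed {len(p)} ({legitimate_share(b, p)}% of traffic)")
```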
FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 07/27/2004 


On July 27, 2004, [___] and [___], MCAFEE, telephone 
number (503) 460-4484, were interviewed telephonically and advised 
of the identity of the interviewing agents and the nature of the 
interview. [___] and [___] provided the following 
information: 


The 15th variant of the MYDOOM virus was first noticed by 
MCAFEE on July 26, 2004 at approximately 6:30AM pacific time. The 
virus affected major search engines while trying to search for 
additional email addresses to send itself to, as well as several 
corporate customers whose mail servers were temporarily 
overwhelmed. 


The virus harvests email addresses from a local, infected 
computer, then searches the domain name of the email addresses 
through the major internet search engines, in an attempt to locate 
additional email addresses. While the search engines were flooded 
with searches, [___] and [___] believe they were not the 
primary target. 


The virus also installs a backdoor on TCP Port 1034 that 
future users and/or viruses can exploit. MCAFEE has already seen 
viruses discovered on July 27, 2004 that exploit this open port, 
but does not think they were necessarily written by the same author 
as the MYDOOM virus. 


[___] and [___] advised that there was nothing unique 
or identifying about the virus executable. They do not have the 
source code of the virus. 
Approved By: [___] 
Drafted By: [___] 

Case ID #: 288A-SF-136551 (Pending) 


Title: UNSUB(S) 
aka MYDOOM VIRUS; 
GOOGLE - VICTIM; 
YAHOO - VICTIM; 
LYCOS - VICTIM; 
COMPUTER INTRUSIONS-CRIMINAL MATTERS 


Synopsis: Request to close captioned matter. 


Details: At 11:30AM Eastern time on 07/26/2004, internet 
search engines Google (http://google.com), Yahoo 
(http://yahoo.com), and Lycos (http://lycos.com) were unable 
to provide search results to a number of users for several 
hours due to a variant of the MyDoom virus (Mydoom.m) and 
Zindos worm. 


On 07/28/2004, Special Technologies and Applications 
Section (STAS) assistance was requested in analyzing the 
source code of Mydoom.m and Zindos. 


On 12/14/2004, STAS advised that the analysis of 
Mydoom.m and Zindos was complete. Strings and source code of 
the virus/worm were examined for clues as to the identity of 
the author, but none were found. 


Determination of the original author is therefore 
deemed impossible and the case is being closed. 




SF Field Intelligence Group 
03/21/05 
Potential Intel Value: [ ] Yes  [X] No 
Reviewed By: [___]  Date: [illegible] 
S-Drive Location: 
The following investigation was conducted by Special 
Agent [___]: 


On December 14, 2004, Special Agent [___] received 
from STAS the Technical Lead Report on the Analysis of Mydoom- 
M/Zindos Worms. The report found no clues as to the identity 
of the author of either computer worm. The report is attached 
to and made a part of this document. 
FEDERAL BUREAU OF INVESTIGATION 
CYBERDIVISION 
SPECIAL TECHNOLOGIES AND APPLICATIONS SECTION 
TECHNICAL ANALYSIS UNIT 
TECHNICAL LEAD REPORT 


FOR LEAD PURPOSES ONLY 


To: CID  Date: 11/22/04 
DISTRIBUTION TO: XXX 
Submitter's Case Number: 288A-SF-136551 


RE: ANALYSIS OF MYDOOM-M/ZINDOS WORMS 


Title: Analysis of Mydoom-M/Zindos Worms 


Electronic Location: \\smb00\cases\ProductReports\2004,_ Reports\STAS- 


PREPARED BY: [___]  PHONE NUMBER: [___] 
APPROVED: XXX  PHONE NUMBER: XXXX 

STAS CONTROL FILE: 288A-SF-136551  PRIMARY REPORT ID: STAS04-XXXX 
MATS ID: 2004-XXXX 


THIS REPORT IS FURNISHED FOR OFFICIAL USE ONLY. NO PART OF THIS REPORT MAY BE DISCLOSED TO ANY THIRD PARTY WITHOUT THE 
EXPRESS WRITTEN CONSENT OF THE FBI/CYD 


UNCLASSIFIED 
1. Media Type and Quantity: 1 CD w/zip file containing Mydoom-m worm 

2. Analysis Requested: 

• Assist in analysis of Mydoom-M Virus 
• Obtain a copy of Zindos worm and analyze 


3. Executive Summary: 


A copy of the Zindos worm was obtained. Both Zindos and Mydoom-m (provided) were analyzed using IDA Pro (static 
disassembly of binary). Strings and code were examined for clues as to the identity of the author, but none were found. 


4. Details of Analysis: 
Zindos worm 

• A copy of the Zindos worm was obtained from a 3rd party source. 
• It was loaded into IDA Pro for disassembly and analysis. 
• Disassembly revealed that Zindos goes into a tight loop (every 50ms) trying to connect to www.microsoft.com. 


• The code was examined looking for identifying information such as names, email addresses, comments or IP addresses that 
might help identify the author. None were found. 


Mydoom-m worm 


• The worm was run in isolation and network traffic was recorded. Without being able to reach the Internet, the worm 
performs lookups for the mail server (MX) for the following domains: 

13 cvs.tartarus.org: type MX, class inet 
13 gto.net.om: type MX, class inet 
13 kohls.com: type MX, class inet 
14 lebanon-online.com.lb: type MX, class inet 
14 msdirectservices.com: type MX, class inet 
17 petri.co.il: type MX, class inet 
14 target.com: type MX, class inet 
14 tucows.com: type MX, class inet 
13 ultraschallpiloten.com: type MX, class inet 

(the number in front is a count of the occurrences during the test run). 


[Analyst Comment on above list: It is likely that this is a list of known “open relays” at the time the worm was released. 
The intent is likely to use them to send the initial round of messages.] 


• Mydoom-m was loaded into IDA Pro for disassembly and static analysis. A cursory analysis of the code was consistent with 
analysis provided by commercial anti-virus vendors and security organizations at 

o http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.M 


Google says MyDoom virus caused problems 


Monday, July 26, 2004 Posted: 4:21 PM EDT (2021 GMT) 


(CNN) -- The No. 1 Internet search engine 
on Monday was unable to provide search 
results to a number of Web surfers, 
probably because of a variant of the 
MyDoom virus. 


Users of other popular search engines such as 
Yahoo and Lycos may also have experienced some 
sluggish behavior. 


Google released a statement to CNN at 3 p.m. ET 
saying the site "experienced slowness for a short 
period of time early today because of the MyDoom 
virus, which flooded major search engines with 
automated searches. 




"A small percentage of our users and networks that 
have the MyDoom virus have been affected for a 
longer period of time. At no point was the Google 
Web site significantly impaired, and service for all 
users and networks is expected to be restored 
shortly." 


According to several media accounts, the problem 
began about 11:30 a.m. ET, and by 3 p.m. the site 
seemed to be running smoothly again. 




The SANS Institute and other security firms issued 
a release shortly after the problem was detected 
saying a new variant of the MyDoom virus could be 
to blame. The latest incarnation of the troublesome 
virus uses search engines on infected computers to 
look for more e-mail addresses in order to keep 
replicating itself. 


Experts contacted by CNN were unable to 
determine the exact magnitude of the problem. 


Some users across the United States reported no 
trouble with Google or other search engines. 


For other people, although the main Google page was able to load, they reported seeing a "server error" 
message when trying to conduct a search. 


Google also announced details of its initial public offering Monday, with share prices of between $108 and 
$135. Experts consider those figures to be very high, leading some observers to initially speculate that 
Google was the victim of a vindictive hacker attack. 